c6de0fd155
Remove a stray ct:pal/2 call in production code
...
References #4588 , #4666
2022-04-29 16:01:00 +04:00
ca290f1116
OAuth 2: expand all scope aliases provided
...
Per discussion with @MarcialRosales.
In follow-up to #4588 .
2022-04-27 21:21:40 +04:00
0862199b9e
OAuth 2: initial scope aliasing test
2022-04-21 14:16:46 +04:00
a2a54686e7
OAuth 2: initial work on scope aliases
...
Per discussion with @MarcialRosales, we try to fetch
aliases from two sources, based on feedback from two different
users who seemingly rely on the same family of identity
provider products:
* Use the JWT scope field value first
* Use extra_scopes_source app env setting second
Just like with the existing extra scopes/complex claim
support originally contributed for Keycloak/identityProvider,
we merge all these scopes obtained from "alternative sources"
with the value of the JWT scopes field. This implicitly
assumes that the result makes sense semantically and
there will not be conflicting scopes. That's on the user to
make sure of.
References #4588
2022-04-20 14:29:31 +04:00
c38a3d697d
Bump (c) year
2022-03-21 01:21:56 +04:00
4a2f61a49a
Fix usage of add_uaa_key command
...
Switch is --pem-file, not --pem_file.
2022-03-09 16:24:05 +01:00
ea8ad0e3e3
Add timeout for httpc request
2021-12-14 11:28:33 +07:00
093a04323b
Add configurable crl_check and fail_if_no_peer_cert
...
- Add configuration: crl_check, fail_if_no_peer_cert
- Correct configuration: hostname_verification
2021-12-14 11:28:33 +07:00
118e44c10e
Add wildcard configuration
...
A "wildcard" configuration is added to enable key server verification with wildcard certificate
2021-12-14 11:28:33 +07:00
a9bc1c0ce9
Update README.md
...
- Update new configuration document
- Add configurable "depth" for key server verification
2021-12-14 11:28:33 +07:00
8c541fb047
Set peer_verification default as verify_none
2021-12-14 11:28:33 +07:00
1615cbfb8b
Update better configuration names
...
- "strict" changes to "https.peer_verification"
- "cacertfile" changes to "https.cacertfile"
2021-12-14 11:28:33 +07:00
dd685f1179
Oauth2 plugin improvements
...
- Validate JWKS server when getting keys
- Restrict usable algorithms
2021-12-14 11:28:33 +07:00
98e71c45d8
Perform xref checks on many tier-1 plugins
2021-05-21 12:03:22 +02:00
97ff62d3b2
Drop trailing newlines from logged messages where possible
...
Lager strips trailing newline characters but OTP logger with the default
formatter adds a newline at the end. To avoid unintentional multi-line log
messages we have to revisit most messages logged.
Some log entries are intentionally multiline, others
are printed to stdout directly: newlines are required there
for sensible formatting.
2021-03-11 15:17:37 +01:00
68dd52e577
Move jwks_http modules into the test folder
2021-02-18 17:11:21 +01:00
1a3d68be37
JWKS tests
2021-02-05 11:23:10 +01:00
480f7eaadf
Support fetching JWT signing keys from JWKS endpoint
2021-02-03 17:09:54 +01:00
52479099ec
Bump (c) year
2021-01-22 09:00:14 +03:00
57716223e0
Add support for using extra scopes standalone
...
This commit makes it possible to use additional sources of scopes in a token
standalone, without the need of combining them with existing ones.
2020-09-16 16:30:24 +02:00
9b0e853799
Simplify post_process_payload_keycloak
2020-09-01 17:17:15 +02:00
f0d39cb4e2
Switch to Mozilla Public License 2.0 (MPL 2.0)
2020-07-10 20:27:35 +01:00
7dcc11cdfd
Update copyright (year 2020)
2020-03-10 16:05:48 +01:00
28080e1e2c
Log authentication rejection messages
...
Normally when auth fails, we simply log that it failed for a given
username. Since the username is ignored with the auth mechanism,
this does not provide sufficient context for debugging config
errors.
2020-03-09 12:49:48 +01:00
8d4b3439f9
Avoid using erlang:get_stacktrace/0 for improved OTP 23/24 compat
2020-02-27 22:22:32 +03:00
e4870b9c70
(c) bump
2019-12-29 05:50:24 +03:00
e936e82292
Move up aud/scope binary to array conversion
...
This way scope is always an array which makes it easier for downstream
processing.
References #41
2019-12-05 14:26:17 +01:00
d9073fba8d
Make this code less unorthodox, take 2
...
Also improves naming a bit.
2019-12-05 10:28:37 +03:00
7d2b069cbd
Make this code less unorthodox, take 1
2019-12-05 10:12:51 +03:00
9a230b0aeb
Resolve PR comments - rename variables.
2019-12-05 05:29:12 +01:00
3a04670a45
Implement support for gathering scopes from predefined JWT section and combine them with existing ones in post_process_payload () method. Create unit_SUITE and system_SUITE test cases.
2019-12-04 19:14:08 +01:00
f3405e46fa
Support Keycloak token format in post-processing
...
Scopes from the "authorization" field are extracted and replace the
value of the "scope" key in the parsed and processed token.
Fixes #37
2019-08-21 10:34:20 +02:00
16968e8c66
Remove unnecessary console output
2019-07-24 09:04:58 +02:00
49f1b6b043
Support simple strings in aud and scope fields
...
Simple strings are supported, strings with spaces are split into arrays.
The strings are split upfront, the Erlang representation of the token
does not change, to avoid impacts in the code downstream.
Fixes #24
2019-07-12 09:45:02 +02:00
5f44635d05
uaa_jwt:get_jwk/1: return an error if there are no configured signing keys
...
Closes #30 .
2019-07-10 18:52:59 +03:00
833bb4cec9
Deal with unused parameter
2019-07-10 15:47:57 +02:00
cb81b0748f
Remove extra parameters from output call
2019-07-10 15:12:48 +02:00
ae8b61a8aa
Check token expiration on authentication
2019-07-02 15:27:13 +02:00
d44e4bce59
Integration tests for JWT token/secret updates; improved error reporting
2019-07-01 21:20:57 +02:00
8a8bda0369
More OAuth 2 token refresh tests (WIP)
2019-07-01 16:48:53 +02:00
e80c125f0b
Implement secret (token) update
2019-06-27 22:08:18 +02:00
975e2bf177
Extract a constant
2019-06-27 16:04:58 +02:00
7e0ebb0fb1
Extract a constant
2019-06-27 16:04:34 +02:00
1bc504d297
Token/state renewal stub
2019-06-27 11:19:33 +02:00
4f9a4f0ac2
Add protocol-specific context
...
Just an update of check_resource_access/3 to check_resource_access/4,
the OAuth has no use of protocol-specific data for now.
References rabbitmq/rabbitmq-server#1767
2019-06-04 14:50:59 +02:00
8cb7b00642
URL Cleanup
...
This commit updates URLs to prefer the https protocol. Redirects are not followed to avoid accidentally expanding intentionally shortened URLs (i.e. if using a URL shortener).
# HTTP URLs that Could Not Be Fixed
These URLs were unable to be fixed. Please review them to see if they can be manually resolved.
* http://blog.listincomprehension.com/search/label/procket (200) with 1 occurrences could not be migrated:
([https](https://blog.listincomprehension.com/search/label/procket ) result ClosedChannelException).
* http://dozzie.jarowit.net/trac/wiki/TOML (200) with 1 occurrences could not be migrated:
([https](https://dozzie.jarowit.net/trac/wiki/TOML ) result SSLHandshakeException).
* http://dozzie.jarowit.net/trac/wiki/subproc (200) with 1 occurrences could not be migrated:
([https](https://dozzie.jarowit.net/trac/wiki/subproc ) result SSLHandshakeException).
* http://e2project.org (200) with 1 occurrences could not be migrated:
([https](https://e2project.org ) result AnnotatedConnectException).
* http://nitrogenproject.com/ (200) with 2 occurrences could not be migrated:
([https](https://nitrogenproject.com/ ) result ConnectTimeoutException).
* http://proper.softlab.ntua.gr (200) with 1 occurrences could not be migrated:
([https](https://proper.softlab.ntua.gr ) result SSLHandshakeException).
* http://yaws.hyber.org (200) with 1 occurrences could not be migrated:
([https](https://yaws.hyber.org ) result AnnotatedConnectException).
* http://choven.ca (503) with 1 occurrences could not be migrated:
([https](https://choven.ca ) result ConnectTimeoutException).
# Fixed URLs
## Fixed But Review Recommended
These URLs were fixed, but the https status was not OK. However, the https status was the same as the http request or http redirected to an https URL, so they were migrated. Your review is recommended.
* http://fixprotocol.org/ (301) with 1 occurrences migrated to:
https://fixtrading.org ([https](https://fixprotocol.org/ ) result SSLHandshakeException).
* http://erldb.org (UnknownHostException) with 1 occurrences migrated to:
https://erldb.org ([https](https://erldb.org ) result UnknownHostException).
## Fixed Success
These URLs were switched to an https URL with a 2xx status. While the status was successful, your review is still recommended.
* http://cloudi.org/ with 27 occurrences migrated to:
https://cloudi.org/ ([https](https://cloudi.org/ ) result 200).
* http://erlware.org/ with 1 occurrences migrated to:
https://erlware.org/ ([https](https://erlware.org/ ) result 200).
* http://inaka.github.io/cowboy-trails/ with 1 occurrences migrated to:
https://inaka.github.io/cowboy-trails/ ([https](https://inaka.github.io/cowboy-trails/ ) result 200).
* http://ninenines.eu with 6 occurrences migrated to:
https://ninenines.eu ([https](https://ninenines.eu ) result 200).
* http://www.actordb.com/ with 2 occurrences migrated to:
https://www.actordb.com/ ([https](https://www.actordb.com/ ) result 200).
* http://www.cs.kent.ac.uk/projects/wrangler/Home.html with 1 occurrences migrated to:
https://www.cs.kent.ac.uk/projects/wrangler/Home.html ([https](https://www.cs.kent.ac.uk/projects/wrangler/Home.html ) result 200).
* http://www.rabbitmq.com/access-control.html with 2 occurrences migrated to:
https://www.rabbitmq.com/access-control.html ([https](https://www.rabbitmq.com/access-control.html ) result 200).
* http://www.rabbitmq.com/configure.html with 1 occurrences migrated to:
https://www.rabbitmq.com/configure.html ([https](https://www.rabbitmq.com/configure.html ) result 200).
* http://www.rebar3.org with 1 occurrences migrated to:
https://www.rebar3.org ([https](https://www.rebar3.org ) result 200).
* http://inaka.github.com/apns4erl with 1 occurrences migrated to:
https://inaka.github.com/apns4erl ([https](https://inaka.github.com/apns4erl ) result 301).
* http://inaka.github.com/edis/ with 1 occurrences migrated to:
https://inaka.github.com/edis/ ([https](https://inaka.github.com/edis/ ) result 301).
* http://lasp-lang.org/ with 1 occurrences migrated to:
https://lasp-lang.org/ ([https](https://lasp-lang.org/ ) result 301).
* http://saleyn.github.com/erlexec with 1 occurrences migrated to:
https://saleyn.github.com/erlexec ([https](https://saleyn.github.com/erlexec ) result 301).
* http://www.mozilla.org/MPL/ with 6 occurrences migrated to:
https://www.mozilla.org/MPL/ ([https](https://www.mozilla.org/MPL/ ) result 301).
* http://zhongwencool.github.io/observer_cli with 1 occurrences migrated to:
https://zhongwencool.github.io/observer_cli ([https](https://zhongwencool.github.io/observer_cli ) result 301).
# Ignored
These URLs were intentionally ignored.
* http://localhost:8080/uaa/oauth/token with 1 occurrences
2019-03-20 03:11:57 -05:00
0e19df0ce4
Rename uaa_jwt app env setting to key_config
...
See this comment for context:
https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/pull/18#issuecomment-409016622
2018-07-31 15:51:20 -07:00
4bd726b5d4
uaa_jwt is no longer a separate application
...
In order for uaa_jwt settings to be populated by config files, they have to be part of a defined and running application. This PR adds support for a uaa_jwt sub-key of the main rabbitmq_auth_backend_oauth2 env key.
2018-07-20 15:25:09 -07:00
613e35be64
Miscellaneous build and doc fixes
...
* Update erlang.mk to resolve S3 bucket issue
* Update README to indicate that tokens need to be in the password field when clients log in
2018-07-19 15:44:37 -07:00
f0178d7729
rabbitmq_auth_backend_uaa => rabbitmq_auth_backend_oauth2
...
"OAuth 2" is many things but it's still more descriptive, open-ended and easier
to find than "uaa" (too tool-specific) or "jwt" (too narrow, not known widely enough).
Per discussion with @hairyhum @kjnilsson.
2018-07-19 22:20:57 +03:00
5b002c5eab
Fold uaa_jwt into this plugin
...
Per discussion with @hairyhum.
2018-07-19 19:22:47 +03:00
6618c21b1f
More integration tests
...
[#158782152 ]
[#158782156 ]
2018-07-19 14:40:18 +03:00
821f54c92a
More integration tests
...
[#158782152 ]
[#158782156 ]
2018-07-18 18:15:50 +03:00
37366191f2
Extract tags from the provided JWT token
...
Pair: @acogoluegnes.
[#158782152 ]
[#158782156 ]
2018-07-09 18:26:53 +03:00
ff5fdc0829
Logging, naming
...
[#158782152 ]
[#158782156 ]
2018-07-09 08:51:08 +03:00
915c45390c
Adopt uaa_jwt:client/2 and uaa_jwt:sub/2
...
[#158782152 ]
[#158782156 ]
2018-07-09 07:20:57 +03:00
e5c84c31fa
Pass decoded token so that effective username is computed from it
...
[#158782152 ]
[#158782156 ]
2018-07-06 17:35:34 +03:00
cb4dfba58a
Expect access token in the password field
...
We cannot pass access tokens in the username since
those are logged and displayed by operator tools.
Per discussion with @acogoluegnes.
[#158782152 ]
[#158782156 ]
2018-07-05 19:50:12 +03:00
54bf34d9c7
Wording
...
[#158782152 ]
[#158782156 ]
2018-07-03 20:02:48 +03:00
7a758a2ece
More test massaging, remove debug logging
...
[#158782152 ]
[#158782156 ]
2018-07-03 16:27:58 +03:00
4cc2cfef89
Split and simplify unit tests; naming
2018-07-03 02:15:51 +03:00
7cf71b01a6
Better errors when validating the decoded token
2018-06-25 15:51:29 +01:00
032be9763b
Use erlang version of uaa_jwt and jose
2018-06-21 17:07:35 +01:00
973ef5ccef
Add support for pem public key
2017-09-20 16:40:56 +01:00
540f3452c9
Handle json parsing error
2017-02-16 15:58:39 +00:00
7b421e6ae1
Return error instead of error_message to comply with authz_backend API
2017-02-08 16:32:59 +00:00
c71c3eb292
Test token expiration
2017-02-03 13:01:24 +00:00
612c9eeacf
Do not decode token every time permission is checked.
...
Decoded token is saved to `impl`.
When permission is checked, the `exp` field of the token
is compared to system_time and if the token is expired
`{error_message, "Token expired"}` is returned.
2017-02-02 18:31:01 +00:00
a07b4485e6
Test key validation when adding via cli command
2017-02-02 12:25:38 +00:00
78bb2044fb
Test command validation
2017-02-02 11:29:25 +00:00
df197ad5b9
Command to add UAA signing keys
2017-02-01 17:15:10 +00:00
759d66263b
Decode and verify UAA JWT tokens without connecting to UAA server
...
Fixes #3
Uses rabbitmq/uaa_jwt library to decode a token and verify signature.
Signing keys should be predefined in the uaa_jwt application environment
2017-01-27 11:32:14 +00:00
42e401e900
invalid_resource_authorization => resource_server_authentication_failed
...
HTTP 401 response can indicate an authorization failure as well
but let's assume authentication failures will be more common in this
specific case.
2017-01-27 01:51:48 +03:00
ff88614186
Wording
2017-01-27 01:34:47 +03:00
a53e4d3cb9
Support topic authorization
2017-01-24 17:26:59 +00:00
dfc61ec18f
Change scope to permission mapping
2016-12-20 13:13:18 +00:00
ff84dfae52
Support for custom resource kinds
2016-02-16 12:36:38 +00:00
b5c47a75f6
Resource ID filtering
2016-02-16 12:22:49 +00:00
4835e0b3af
Indent
2016-01-20 14:24:06 +00:00
99279bd10f
Tests
2016-01-20 14:04:14 +00:00
db72e7d9e3
Tesing on working UAA
2016-01-18 18:05:45 +00:00
0109fab275
Resource id. Scopes README
2016-01-15 17:03:31 +00:00
d6888dafb0
wrong arity
2016-01-15 16:51:16 +00:00
f0a5693939
rabbitmq_oauth2_scope from oauth backend
2016-01-15 16:50:25 +00:00
47da90b652
Init. Make request to /check_token
2016-01-15 14:50:21 +00:00
Michael Klishin
Michael Klishin
Arnaud Cogoluègnes
Anh Thi Lan Nguyen
Philip Kuryloski
Teo Klestrup Röijezon
Robert Gustafsson
Simon Alling
dcorbacho
Jean-Sébastien Pédron
Philip Kuryloski
Michal Papuga
Michael Klishin
Spring Operator
Luke Bakken
Daniil Fedotov
Daniil Fedotov